CISM Certified Information Security Manager

Transcription

1 CISM Certified Information Security Manager Firebrand Custom Designed Courseware

2 Logistics Start Time Breaks End Time Fire escapes Instructor Introductions

3 Introduction to Information Security Management

4 Course Mission Educational Value Both theoretical and practical Up-to-date Relevant

5 CISM Certified Information Security Manager Designed for personnel that have (or want to have) responsibility for managing an Information Security program Tough but very good quality examination Requires understanding of the concepts behind a security program not just the definitions

6 CISM Exam Review Course Overview The CISM Exam is based on the CISM job practice. The ISACA CISM Certification Committee oversees the development of the exam and ensures the currency of its content. There are four content areas that the CISM candidate is expected to know.

7 Job Practice Areas

8 Domain Structure Information Security Governance Reports To Mandates Information Risk Management and Compliance Deploys Influences Information Security Program Development and Management Requires Information Security Incident Management

9 CISM Qualifications To earn the CISM designation, information security professionals are required to: Successfully pass the CISM exam Adhere to the ISACA Code of Professional Ethics Agree to comply with the CISM continuing education policy Submit verified evidence of five (5) years of work experience in the field of information security.

10 The Examination The exam consists of 200 multiple choice questions that cover the CISM job practice areas. Four hours are allotted for completing the exam See the Job Practice Areas including task Statements and Knowledge Statements listed on the ISACA website

11 Examination Day Be on time!! The doors are locked when the instructions start approximately 30 minutes before examination start time. Bring the admission ticket (sent out prior to the examination from ISACA) and an acceptable form of original photo identification (passport, photo id or drivers license).

12 Completing the Examination Items Bring several #2 pencils and an eraser Read each question carefully Read ALL answers prior to selecting the BEST answer Mark the appropriate answer on the test answer sheet. When correcting an answer be sure to thoroughly erase the wrong answer before filling in a new one. There is no penalty for guessing. Answer every question.

13 Grading the Exam Candidate scores are reported as a scaled score based on the conversion of a candidate s raw score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass. Exam results will be mailed (and ed) out approximately 6-8 weeks after the exam date. Good Luck!

14 End of Introduction Welcome to the CISM course!!

15 2016 CISM Review Course Chapter 1 Information Security Governance

16 Information Security Management The responsible protection of the information assets of the organization Supporting Security Governance and risk management Adoption of a security framework and standards ISACA CISM Review Manual Page 14 16

17 Governance Governance: Ensures that stakeholders needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved: Setting direction through prioritization and decision-making: Monitoring performance and compliance against agreed-on directions and objectives ISACA CISM Review Manual Page 14

18 Examination Content The CISM Candidate understands: Effective security governance framework Building and deploying a security strategy aligned with organizational goals Manage risk appropriately Responsible management of program resources The content area in this chapter will represent approximately 24% of the CISM examination (approximately 48 questions). ISACA CISM Review Manual Page 14

19 Learning Objectives Align the organization s Information security strategy with business goals and objectives Obtain Senior Management commitment Provide support for: Governance Business cases to justify security Compliance with legal and regulatory mandates ISACA CISM Review Manual Page 14

20 Learning Objectives cont. Provide support for: Organizational priorities and strategy Identify drivers affecting the organization Define roles and responsibilities Establish metrics to report on effectiveness of the security strategy ISACA CISM Review Manual Page 14

21 CISM Priorities The CISM must understand: Requirements for effective information security governance Elements and actions required to: Develop an information security strategy Plan of action to implement it ISACA CISM Review Manual Page 14

22 Information Security Governance Information is indispensable to conduct business effectively today Information must be: Available Have Integrity of data and process Be kept confidential as needed Protection of information is a responsibility of the Board of Directors ISACA CISM Review Manual Page 31

23 Information Security Information Protection includes: Accountability Oversight Prioritization Risk Management Compliance (Regulations and Legislation) ISACA CISM Review Manual Page 31

24 Information Security Governance Overview Information security is much more than just IT security (more than technology) Information must be protected at all levels of the organization and in all forms Information security is a responsibility of everyone In all forms paper, fax, audio, video, microfiche, networks, storage media, computer systems ISACA CISM Review Manual Page 31

25 Security Program Priorities Achieve high standards of corporate governance Treat information security as a critical business issue Create a security positive environment Have declared responsibilities

26 Security versus Business Security must be aligned with business needs and direction Security is woven into the business functions Provides Strength Resilience Protection Stability Consistency

27 Security Program Objectives Ensure the availability of systems and data Allow access to the correct people in a timely manner Protect the integrity of data and business processes Ensure no improper modifications Protect confidentiality of information Unauthorized disclosure of information Privacy, trade secrets,

28 Selling the Importance of Information Security Benefits of effective information security governance include: Improved trust in customer relationships Protecting the organization s reputation Better accountability for safeguarding information during critical business activities Reduction in loss through better incident handling and disaster recovery ISACA CISM Review Manual Page 31

29 The First Priority for the CISM Remember that Information Security is a businessdriven activity. Security is here to support the interests and needs of the organization not just the desires of security Security is always a balance between cost and benefit; security and productivity ISACA CISM Review Manual Page 31

30 Corporate Governance

31 Business Goals and Objectives Corporate governance is the set of responsibilities and practices exercised by the board and executive management Goals include: Providing strategic direction Reaching security and business objectives Ensure that risks are managed appropriately Verify that the enterprise s resources are used responsibly ISACA CISM Review Manual Page 32

32 Outcomes of Information Security Governance The six basic outcomes of effective security governance: Strategic alignment Risk management Value delivery Resource optimization Performance measurement Integration ISACA CISM Review Manual Page 32

33 Benefits of Information Security Governance Effective information security governance can offer many benefits to an organization, including: Compliance and protection from litigation or penalties Cost savings through better risk management Avoid risk of lost opportunities Better oversight of systems and business operations Opportunity to leverage new technologies to business advantage ISACA CISM Review Manual Page 32

34 Performance and Governance Governance is only possible when metrics are in place to: Measuring Monitoring Reporting On whether critical organizational objectives are achieved Enterprise-wide measurements should be developed ISACA CISM Review Manual Page 33

35 Governance Roles and Responsibilities Board of Directors/Senior Management Effective security requires senior management support Steering Committee Ensure continued alignment between IT and business objectives CISO Chief Information Security Officer Ensures security is addressed at a senior management level ISACA CISM Review Manual Page 35, 36

36 Governance Roles and Responsibilities cont. System Owners Responsible to ensure that adequate protection is in place to protect systems and the data they process Information Owners Responsible for the protection of data regardless of where it resides or is processed ISACA CISM Review Manual Page 37

37 Gaining Management Support Formal presentation From a business perspective Align security with the business Identify risk and consequences Describe audit and reporting procedures ISACA CISM Review Manual Page 38

38 Communication Channels Track the status of the security program Share security awareness and knowledge of risk Communicate policies and procedures Deliver to all staff at appropriate level of detail ISACA CISM Review Manual Page 38

39 GRC The combination of overlapping activities into a single business process to recognize the importance to senior management of information security and assurance Governance Risk Compliance ISACA CISM Review Manual Page 40

40 BMIS The business model for information security is one approach to show the interraltionship between several elements of a robust security management program: Organization Design and Strategy People Process Technology ISACA CISM Review Manual Page 41

41 BMIS The interaction of these processes is important to provide coordination between the dynamic elements of security: Governance Culture Enablement and Support Emergence Human Factors Architecture ISACA CISM Review Manual Page 42

42 Governance of Third-Party Relationships As organizations move more towards the use of third parties for support (e.g., the Cloud), the need to govern and manage these relationships is of increasing importance. Service providers Outsourced operations Trading partners Merged or acquired organizations ISACA CISM Review Manual Page 43

43 Information Security Metrics A framework that cannot be measured, cannot be trusted. The security program must be accountable for its budget, deliverables and strategy. Meaningful Accurate Cost-effective Repeatable Predictive Actionable Genuine ISACA CISM Review Manual Page 44

44 KPIs and KGIs Indicate attainment of service goals, organizational objectives and milestones. Key Goal Indicators Key Risk Indicators ISACA CISM Review Manual Page 46

45 Security Integration Security needs to be integrated INTO the business processes The goal is to reduce security gaps through organizational-wide security programs Integrate IT with: Physical security Risk Management Privacy and Compliance Business Continuity Management ISACA CISM Review Manual Page 46

46 Areas to Measure (Metrics) Risk Management Value Delivery Resource Management Performance Measurement Incident reporting Benchmarking ISACA CISM Review Manual Page 47

47 Developing Information Security Strategy Information Security Strategy Long term perspective Standard across the organization Aligned with business strategy / direction Understands the culture of the organization Reflects business priorities ISACA CISM Review Manual Page 49

48 The Desired State of Security The desired state of security must be defined in terms of attributes, characteristics and outcomes It should be clear to all stakeholders what the intended security state is ISACA CISM Review Manual Page 53

49 The Desired State cont. One definition of the desired state: Protecting the interests of those relying on information, and the processes, systems and communications that handle, store and deliver the information, from harm resulting from failures of availability, confidentiality and integrity Focuses on IT-related processes from IT governance, management and control perspectives ISACA CISM Review Manual Page 53

50 Elements of a Strategy A security strategy needs to include: Resources needed Constraints A road map Includes people, processes, technologies and other resources A security architecture: defining business drivers, resource relationships and process flows Achieving the desired state is a long-term goal of a series of projects ISACA CISM Review Manual Page 53

51 Business Linkages Business linkages Start with understanding the specific objectives of a particular line of business Take into consideration all information flows and processes that are critical to ensuring continued operations Enable security to be aligned with and support business at strategic, tactical and operational levels ISACA CISM Review Manual Page 53

52 Objectives of Security Strategy The objectives of an information security strategy must Be defined Be supported by metrics (measureable) Capability Maturity Model (CMM) Provide guidance ISACA CISM Review Manual Page 55

53 Balanced Scorecard (BSC) See next slide for diagram Ensures that multiple perspectives are considered when developing a security strategy Seeks balance between competing interests ISACA CISM Review Manual Page 55

54 Balanced Scorecard (BSC) Financial Customer Information Learning Process ISACA CISM Review Manual Page 55

55 The Maturity of the Security Program Using CMM 0: Nonexistent - No recognition by organization of need for security 1: Ad hoc - Risks are considered on an ad hoc basis no formal processes 2: Repeatable but intuitive - Emerging understanding of risk and need for security 3: Defined process - Companywide risk management policy/security awareness 4: Managed and measurable - Risk assessment standard procedure, roles and responsibilities assigned, policies and standards in place 5: Optimized - Organization-wide processes implemented, monitored and managed ISACA CISM Review Manual Page 55

56 The ISO27001:2013 Framework The goal of ISO27001:2013 is to: Establish Implement Maintain, and Continually improve An information security management system Contains: 14 Clauses, 35 Controls Objectives and 114 controls ISACA CISM Review Manual Page 56

57 Risk Management The basis for most security programs is Risk Management: Risk identification Risk Mitigation Ongoing Risk Monitoring and evaluation The CISM must remember that risk is measured according to potential impact on the ability of the business to meet its mission not just on the impact on IT. ISACA CISM Review Manual Page 56

58 Examples of Other Security Frameworks SABSA (Sherwood Applied Business Security Architecture) COBIT COSO Business Model for Information Security Model originated at the Institute for Critical Information Infrastructure Protection ISACA CISM Review Manual Page 49, 61

59 Examples of Other Security Frameworks ISO standards on quality (ISO 9001:2000) Six Sigma Publications from NIST and ISF US Federal Information Security Management Act (FISMA) ISACA CISM Review Manual Page 56

60 Constraints and Considerations for a Security Program Constraints Legal Laws and regulatory requirements Physical Capacity, space, environmental constraints Ethics Appropriate, reasonable and customary Culture Both inside and outside the organization Costs Time, money Personnel Resistance to change, resentment against new constraints ISACA CISM Review Manual Page 59

61 Constraints and Considerations for a Security Program cont. Constraints Organizational structure How decisions are made and by whom, turf protection Resources Capital, technology, people Capabilities Knowledge, training, skills, expertise Time Window of opportunity, mandated compliance Risk tolerance Threats, vulnerabilities, impacts ISACA CISM Review Manual Page 59

62 Security Program Starts with theory and concepts Policy Interpreted through: Procedures Baselines Standards Measured through audit ISACA CISM Review Manual Page 60

63 Architecture Information security architecture is similar physical architecture Requirements definition Design / Modeling Creation of detailed blueprints Development, deployment Architecture is planning and design to meet the needs of the stakeholders Security architecture is one of the greatest needs for most organizations ISACA CISM Review Manual Page 60

64 Using an Information Security Framework Effective information security is provided through adoption of a security framework Defines information security objectives Aligns with business objectives Provides metrics to measure compliance and trends Standardizes baseline security activities enterprise-wide ISACA CISM Review Manual Page 62

65 The Goal of Information Security The goal of information security is to protect the organization s assets, individuals and mission This requires: Asset identification Classification of data and systems according to criticality and sensitivity Application of appropriate controls ISACA CISM Review Manual Page 62

66 Controls Non-IT controls ( Labeling, handling requirements Countermeasures Reduce a vulnerability (reduce likelihood or impact of an incident) Layered Defense ISACA CISM Review Manual Page 63

67 Elements of Risk and Security The next few slides list many factors that go into a Security program. ISACA CISM Review Manual Page 64

68 Information Security Concepts Access Architecture Attacks Auditability Authentication Authorization Availability Business dependency analysis Business impact analysis Confidentiality Countermeasures Criticality Data classification Exposures Gap analysis Governance ISACA CISM Review Manual Page 64-69

69 Information Security Concepts cont. Identification Impact Integrity Layered security Management Nonrepudiation Risk / Residual risk Security metrics Sensitivity Standards Strategy Threats Vulnerabilities Enterprise architecture Security domains Trust models ISACA CISM Review Manual Page 64-69

70 Security Program Elements Policies Standards Procedures Guidelines Controls physical, technical, procedural Technologies Personnel security Organizational structure Skills ISACA CISM Review Manual Page 64-69

71 Security Program Elements cont. Training Awareness and education Compliance enforcement Outsourced security providers Other organizational support and assurance providers Facilities Environmental security ISACA CISM Review Manual Page 64-69

72 Centralized versus Decentralized Security Which is better? Consistency versus flexibility Central control versus Local ownership Procedural versus responsive Core skills versus distributed skills Visibility to senior management versus visibility to users and local business units ISACA CISM Review Manual Page 65

73 Audit and Assurance of Security Objective review of security risk, controls and compliance Assurance regarding the effectiveness of security is a part of regular organizational reporting and monitoring ISACA CISM Review Manual Page 66

74 Ethical Standards Rules of behaviour Legal Corporate Industry Personal ISACA CISM Review Manual Page 68

75 Ethical Responsibility Responsibility to all stakeholders Customers Suppliers Management Owners Employees Community ISACA CISM Review Manual Page 68

76 Evaluating the Security Program Metrics are used to measure results Measure security concepts that are important to the business Use metrics that can be used for each reporting period Compare results and detect trends ISACA CISM Review Manual Page 71

77 Effective Security Metrics Set metrics that will indicate the health of the security program Incident management Degree of alignment between security and business development Was security consulted Were controls designed in the systems or added later ISACA CISM Review Manual Page 71

78 Effective Security Metrics cont. Choose metrics that can be controlled Measure items that can be influenced or managed by local managers / security Not external factors such as number of viruses released in the past year Have clear reporting guidelines Monitor on a regular scheduled basis ISACA CISM Review Manual Page 71

79 Key Performance Indicators (KPIs) Thresholds to measure Compliance / non-compliance Pass / fail Satisfactory / unsatisfactory results A KPI is set at a level that indicates action should / must be taken Alarm point ISACA CISM Review Manual Page 71

80 End to End Security Security must be enabled across the organization not just on a system by system basis Performance measures should ensure that security systems are integrated with each other Layered defenses ISACA CISM Review Manual Page 74

81 Correlation Tools The CISM may use Security Event and Incident Management (SEIM, SIM, SEM) tools to aggregate data from across the organization Data analysis Trend detection Reporting tools Added value on exam but not in the ISACA book

82 Regulations and Standards The CISM must be aware of National Laws Privacy Regulations Reporting, Performance Industry standards Payment Card Industry (PCI) BASEL II Added value on exam but not in the ISACA book

83 Effect of Regulations Requirements for business operations Potential impact of breach Cost Reputation Scheduled reporting requirements Frequency Format Added value on exam but not in the ISACA book

84 Reporting and Analysis Data gathering at source Accuracy Identification Reports signed by Organizational Officer Added value on exam but not in the ISACA book